Re: fun with smtpd, (two bugs)
Jason McIntyre wrote, On 05/15/14 13:54:
> > the man page states that:
> >
> > Both auth and auth-optional accept an optional table as a parameter. When provided, credentials are looked up in this table.
> >
> > but reading the new smtpd.conf(5) gives the impression that authtable is mandatory. I haven't checked the code but the following passes a check with smtpd -n
> >
> > listen on iwn0 tls auth
> > listen on em0 tls auth-optional
> >
> > so it seems to be a valid syntax.
>
> it's why i added the word optional to the description. the syntax [table] is really ugly, and is hard to understand. we could do it, but i don't want to. sometimes it's better to sacrifice being a million percent correct for clarity.

The syntax may be ugly, but the vagueness for a novice such as myself is confusing. I wasted an hour with this exact issue the other day. I was looking for the problem in all the wrong places. I thought my certs were bad, my pki declaration was wrong, my email client was misconfigured. Finally, I decided to try <> around my table name. Voilà!

The documentation is inconsistent and that's what threw me off. In smtpd.conf(5) on OpenBSD 5.5 for example, the listen on directive has the option auth authtable where the angle brackets are implied. But the accept | reject directive has the option for [!] domain domains [alias aliases] where the angle brackets are explicit.

It should be exclusively one way or the other. If [table] is too ugly, then suffix all table place holders with table. So for example, the accept | reject directive I mentioned above would become for [!] domain domaintable [alias aliastable]. Then make a note that all place holders/variables must be enclosed by angle brackets. Personally, I don't like that solution. I think being explicit with the syntax is the correct solution. It doesn't matter if it is ugly; it's the syntax that smtpd uses so it should be documented as such.
Re: fun with smtpd, (two bugs)
On Sat, Jun 07, 2014 at 12:22:35AM -0700, Clint Pachl wrote:
> Jason McIntyre wrote, On 05/15/14 13:54:
> > > the man page states that:
> > >
> > > Both auth and auth-optional accept an optional table as a parameter. When provided, credentials are looked up in this table.
> > >
> > > but reading the new smtpd.conf(5) gives the impression that authtable is mandatory. I haven't checked the code but the following passes a check with smtpd -n
> > >
> > > listen on iwn0 tls auth
> > > listen on em0 tls auth-optional
> > >
> > > so it seems to be a valid syntax.
> >
> > it's why i added the word optional to the description. the syntax [table] is really ugly, and is hard to understand. we could do it, but i don't want to. sometimes it's better to sacrifice being a million percent correct for clarity.
>
> The syntax may be ugly, but the vagueness for a novice such as myself is confusing. I wasted an hour with this exact issue the other day. I was looking for the problem in all the wrong places. I thought my certs were bad, my pki declaration was wrong, my email client was misconfigured. Finally, I decided to try <> around my table name. Voilà!

but that is not down to my not wrapping authtable in [], right?

> The documentation is inconsistent and that's what threw me off. In smtpd.conf(5) on OpenBSD 5.5 for example, the listen on directive has the option auth authtable where the angle brackets are implied. But the accept | reject directive has the option for [!] domain domains [alias aliases] where the angle brackets are explicit.

i don't know how it looked in 5.5, but it is explicit now.

> It should be exclusively one way or the other. If [table] is too ugly, then suffix all table place holders with table. So for example, the accept | reject directive I mentioned above would become for [!] domain domaintable [alias aliastable]. Then make a note that all place holders/variables must be enclosed by angle brackets. Personally, I don't like that solution. I think being explicit with the syntax is the correct solution. It doesn't matter if it is ugly; it's the syntax that smtpd uses so it should be documented as such.

ok, here's what's there now:

[auth | auth-optional authtable]
...
Both auth and auth-optional accept an optional table as a parameter.

i really don't see the problem. still, i will add [] just now, ok?

jmc
Re: fun with smtpd, (two bugs)
Jason McIntyre wrote, On 06/07/14 00:51:
> On Sat, Jun 07, 2014 at 12:22:35AM -0700, Clint Pachl wrote:
> > Jason McIntyre wrote, On 05/15/14 13:54:
> > > > the man page states that:
> > > >
> > > > Both auth and auth-optional accept an optional table as a parameter. When provided, credentials are looked up in this table.
> > > >
> > > > but reading the new smtpd.conf(5) gives the impression that authtable is mandatory. I haven't checked the code but the following passes a check with smtpd -n
> > > >
> > > > listen on iwn0 tls auth
> > > > listen on em0 tls auth-optional
> > > >
> > > > so it seems to be a valid syntax.
> > >
> > > it's why i added the word optional to the description. the syntax [table] is really ugly, and is hard to understand. we could do it, but i don't want to. sometimes it's better to sacrifice being a million percent correct for clarity.
> >
> > The syntax may be ugly, but the vagueness for a novice such as myself is confusing. I wasted an hour with this exact issue the other day. I was looking for the problem in all the wrong places. I thought my certs were bad, my pki declaration was wrong, my email client was misconfigured. Finally, I decided to try <> around my table name. Voilà!
>
> but that is not down to my not wrapping authtable in [], right?
>
> > The documentation is inconsistent and that's what threw me off. In smtpd.conf(5) on OpenBSD 5.5 for example, the listen on directive has the option auth authtable where the angle brackets are implied. But the accept | reject directive has the option for [!] domain domains [alias aliases] where the angle brackets are explicit.
>
> i don't know how it looked in 5.5, but it is explicit now.
>
> > It should be exclusively one way or the other. If [table] is too ugly, then suffix all table place holders with table. So for example, the accept | reject directive I mentioned above would become for [!] domain domaintable [alias aliastable]. Then make a note that all place holders/variables must be enclosed by angle brackets. Personally, I don't like that solution. I think being explicit with the syntax is the correct solution. It doesn't matter if it is ugly; it's the syntax that smtpd uses so it should be documented as such.
>
> ok, here's what's there now:
>
> [auth | auth-optional authtable]
> ...
> Both auth and auth-optional accept an optional table as a parameter.
>
> i really don't see the problem. still, i will add [] just now, ok?
>
> jmc

You're right, I apologize. I just consulted the current smtpd.conf(5) via openbsd.org and the man page looks much improved since OBSD 5.5 release. Thanks Jason.
Re: fun with smtpd, (two bugs)
On Thu, May 15, 2014 at 09:53:39PM +0059, Jason McIntyre wrote:
> On Thu, May 15, 2014 at 10:40:27PM +0200, Frank Brodbeck wrote:
> > Hi Jason,
> >
> > On Wed, May 14, 2014 at 11:16:59PM +0059, Jason McIntyre wrote:
> > > it's still missing some . also i think we can wholly simplify the auth/auth-optional line.
> >
> > Heh. Thought I found all, thanks for fixing the rest.
> >
> > > -.Op Ic auth | auth-optional | auth Ar authtable | Ic auth-optional Ar authtable +.Op Ic auth | auth-optional Aq Ar authtable
> >
> > the man page states that:
> >
> > Both auth and auth-optional accept an optional table as a parameter. When provided, credentials are looked up in this table.
> >
> > but reading the new smtpd.conf(5) gives the impression that authtable is mandatory. I haven't checked the code but the following passes a check with smtpd -n
> >
> > listen on iwn0 tls auth
> > listen on em0 tls auth-optional
> >
> > so it seems to be a valid syntax.
>
> it's why i added the word optional to the description. the syntax [table] is really ugly, and is hard to understand.

Why is it ugly and hard to understand??? I think it's rather obvious that [] signifies optional and <> signifies the name of a table.

> we could do it, but i don't want to. sometimes it's better to sacrifice being a million percent correct for clarity.

Eh? How can giving incorrect information help clarity? That's a bit strange.

--
Creamy! 3
Re: fun with smtpd, (two bugs)
Hi Jason,

On Wed, May 14, 2014 at 11:16:59PM +0059, Jason McIntyre wrote:
> it's still missing some . also i think we can wholly simplify the auth/auth-optional line.

Heh. Thought I found all, thanks for fixing the rest.

> -.Op Ic auth | auth-optional | auth Ar authtable | Ic auth-optional Ar authtable +.Op Ic auth | auth-optional Aq Ar authtable

the man page states that:

Both auth and auth-optional accept an optional table as a parameter. When provided, credentials are looked up in this table.

but reading the new smtpd.conf(5) gives the impression that authtable is mandatory. I haven't checked the code but the following passes a check with smtpd -n

listen on iwn0 tls auth
listen on em0 tls auth-optional

so it seems to be a valid syntax.

Index: usr.sbin/smtpd/smtpd.conf.5 === RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v retrieving revision 1.118 diff -u -r1.118 smtpd.conf.5 --- usr.sbin/smtpd/smtpd.conf.5 15 May 2014 19:36:45 - 1.118 +++ usr.sbin/smtpd/smtpd.conf.5 15 May 2014 20:40:52 - @@ -594,7 +594,9 @@ .Op Ic port Ar port .Op Ic tls | tls-require | tls-require verify | smtps | secure .Op Ic pki Ar pkiname -.Op Ic auth | auth-optional Aq Ar authtable +.Oo Ic auth | auth-optional +.Op Aq Ar authtable +.Oc .Op Ic tag Ar tag .Op Ic hostname Ar hostname .Op Ic hostnames Aq Ar names
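Review bot: In the @@ -594,7 +594,9 @@ hunk, the `.Oo Ic auth | auth-optional` / `.Op Aq Ar authtable` / `.Oc` nesting leaves it open whether the optional table binds to both keywords or only to `auth-optional`, because the alternation and the nested optional argument sit side by side in the rendered synopsis. The description quoted in this thread says both `auth` and `auth-optional` accept the table, so the description should also say that omitting it is valid for either keyword; where a listener looks up credentials is the part of this line an administrator most needs to read correctly.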
Re: fun with smtpd, (two bugs)
Hi, here's a new version for the manpage bug Creamy mentioned. Frank. Index: usr.sbin/smtpd/smtpd.conf.5 === RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v retrieving revision 1.117 diff -u -r1.117 smtpd.conf.5 --- usr.sbin/smtpd/smtpd.conf.5 16 Feb 2014 21:59:34 - 1.117 +++ usr.sbin/smtpd/smtpd.conf.5 14 May 2014 21:11:17 - @@ -109,7 +109,7 @@ .Ic from .Op Ic \! .Ic source -.Ic table +.Aq Ar table .Xc The rule matches if the connection is made from a client whose address is declared in the table @@ -121,7 +121,7 @@ .It Xo .Ic sender .Op Ic \! -.Ic senders +.Aq Ar senders .Xc If specified, the rule will only be matched if the sender email address is found in the table @@ -253,7 +253,7 @@ .It Xo .Ic recipient .Op Ic \! -.Ar recipients +.Aq Ar recipients .Xc If specified, the rule will only be matched if the recipient email address is found in the table @@ -307,7 +307,7 @@ .Ic relay .Op Ic backup Op Ar mx .Op Ic as Ar address -.Op Ic source Ar source +.Op Ic source Aq Ar source .Bk -words .Op Ic hostname Ar name .Op Ic hostnames Ar names @@ -592,7 +592,11 @@ .Op Ic port Ar port .Op Ic tls | tls-require | tls-require verify | smtps | secure .Op Ic pki Ar pkiname -.Op Ic auth | auth-optional | auth Ar authtable | Ic auth-optional Ar authtable +.Oo +.Ic auth | auth-optional | auth +.Aq Ar authtable +.Ic | auth-optional Aq Ar authtable +.Oc .Op Ic tag Ar tag .Op Ic hostname Ar hostname .Op Ic hostnames Ar names -- Frank Brodbeck f...@guug.de
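Review bot: The replacement in the @@ -592,7 +592,11 @@ hunk spells out all four keyword and table combinations over four macro lines, and `.Ic | auth-optional Aq Ar authtable` opens a macro line with the `|` separator, which is easy to misread and easy to break in a later edit. Consider a single enclosure holding `auth | auth-optional` with the table as a nested optional argument, so the synopsis says once that the table may be omitted.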
Re: fun with smtpd, (two bugs)
On Wed, May 14, 2014 at 11:10:03PM +0200, Frank Brodbeck wrote: Hi, here's a new version for the manpage bug Creamy mentioned. Frank. it's still missing some . also i think we can wholly simplify the auth/auth-optional line. how's this? jmc Index: smtpd.conf.5 === RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v retrieving revision 1.117 diff -u -r1.117 smtpd.conf.5 --- smtpd.conf.516 Feb 2014 21:59:34 - 1.117 +++ smtpd.conf.514 May 2014 22:13:44 - @@ -109,7 +109,7 @@ .Ic from .Op Ic \! .Ic source -.Ic table +.Aq Ar table .Xc The rule matches if the connection is made from a client whose address is declared in the table @@ -121,7 +121,7 @@ .It Xo .Ic sender .Op Ic \! -.Ic senders +.Aq Ar senders .Xc If specified, the rule will only be matched if the sender email address is found in the table @@ -253,7 +253,7 @@ .It Xo .Ic recipient .Op Ic \! -.Ar recipients +.Aq Ar recipients .Xc If specified, the rule will only be matched if the recipient email address is found in the table @@ -304,17 +304,18 @@ This parameter may use conversion specifiers that are expanded before use .Pq see Sx FORMAT SPECIFIERS . .It Xo +.Bk -words .Ic relay .Op Ic backup Op Ar mx .Op Ic as Ar address -.Op Ic source Ar source -.Bk -words +.Op Ic source Aq Ar source .Op Ic hostname Ar name -.Op Ic hostnames Ar names -.Ek +.Op Ic hostnames Aq Ar names .Op Ic pki Ar pkiname .Op Ic tls | verify +.Ek .Xc +.Pp Mail is relayed. The routing decision is based on the DNS system. .Pp @@ -407,12 +408,13 @@ .Ar host .Op Ic auth Aq Ar auth .Op Ic as Ar address -.Op Ic source Ar source +.Op Ic source Aq Ar source .Op Ic hostname Ar name -.Op Ic hostnames Ar names +.Op Ic hostnames Aq Ar names .Op Ic pki Ar pkiname .Op Ic verify .Xc +.Pp Mail is relayed through the specified .Ar host expressed as a URL. 
@@ -477,7 +479,7 @@ parameter is specified, .Xr smtpd 8 will explicitly bind to an address found in the table referenced by -.Ar table +.Aq Ar source when connecting to the relay. If the table contains more than one address, they are picked in turn each time a new connection is opened. @@ -592,13 +594,14 @@ .Op Ic port Ar port .Op Ic tls | tls-require | tls-require verify | smtps | secure .Op Ic pki Ar pkiname -.Op Ic auth | auth-optional | auth Ar authtable | Ic auth-optional Ar authtable +.Op Ic auth | auth-optional Aq Ar authtable .Op Ic tag Ar tag .Op Ic hostname Ar hostname -.Op Ic hostnames Ar names +.Op Ic hostnames Aq Ar names .Op Ic mask-source .Ek .Xc +.Pp Specify an .Ar interface and @@ -662,7 +665,7 @@ .Ic auth and .Ic auth-optional -accept a table as parameter. +accept an optional table as a parameter. When provided, credentials are looked up in this table. Credentials format is described in .Xr table 5 .
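Review bot: In the @@ -592,13 +594,14 @@ hunk, `.Op Ic auth | auth-optional Aq Ar authtable` does not mark the table as optional, while the @@ -662,7 +665,7 @@ hunk changes the description to say that both keywords accept an optional table. Make the synopsis agree with the description by marking the table optional inside the enclosure, so a reader does not conclude that a listener with `auth` alone is invalid.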
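Review bot: In the @@ -304,17 +304,18 @@ hunk, moving `.Bk -words` ahead of `.Ic relay`, moving `.Ek` past `tls | verify` and adding `.Pp` after `.Xc` change line breaking and spacing, which is separate from the angle-bracket correction the message describes. Mention these in the commit message or send them as their own diff, so the markup fix can be checked on its own.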
Re: fun with smtpd, (two bugs)
On Sat, May 10, 2014 at 10:39:22PM +0200, Frank Brodbeck wrote: On Sat, May 10, 2014 at 07:03:14PM +0100, Creamy wrote: So the manual page is wrong, or at least misleading, because the syntax of the examples differs between from, sender, and for, so it's not clear whether the angle brackets are intended to be literally included, or whether they are just markup in the man page to indicate, 'name of table'. And it's going to fix itself? Don't think so... Index: smtpd.conf.5 === RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v retrieving revision 1.117 diff -u -r1.117 smtpd.conf.5 --- smtpd.conf.5 16 Feb 2014 21:59:34 - 1.117 +++ smtpd.conf.5 10 May 2014 20:40:02 - @@ -109,7 +109,7 @@ .Ic from .Op Ic \! .Ic source -.Ic table +.Aq Ar table .Xc The rule matches if the connection is made from a client whose address is declared in the table @@ -121,7 +121,7 @@ .It Xo .Ic sender .Op Ic \! -.Ic senders +.Aq Ar senders .Xc If specified, the rule will only be matched if the sender email address is found in the table @@ -253,7 +253,7 @@ .It Xo .Ic recipient .Op Ic \! -.Ar recipients +.Aq Ar recipients .Xc If specified, the rule will only be matched if the recipient email address is found in the table @@ -307,7 +307,7 @@ .Ic relay .Op Ic backup Op Ar mx .Op Ic as Ar address -.Op Ic source Ar source +.Op Ic source Aq Ar source .Bk -words .Op Ic hostname Ar name .Op Ic hostnames Ar names @@ -592,7 +592,7 @@ .Op Ic port Ar port .Op Ic tls | tls-require | tls-require verify | smtps | secure .Op Ic pki Ar pkiname -.Op Ic auth | auth-optional | auth Ar authtable | Ic auth-optional Ar authtable +.Op Ic auth | auth-optional | auth Aq Ar authtable | Ic auth-optional Aq Ar authtable Shouldn't that be: +.Op Ic auth | auth-optional | auth Aq Ar authtable Aq | Ic auth-optional Ar authtable ??? Looks like it fixed itself incorrectly :-))) .Op Ic tag Ar tag .Op Ic hostname Ar hostname .Op Ic hostnames Ar names -- Frank Brodbeck f...@guug.de -- Creamy! 3
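Review bot: The @@ -307,7 +307,7 @@ hunk brackets `source` but leaves the context line `.Op Ic hostnames Ar names` untouched, and the same unbracketed `hostnames Ar names` line remains in the @@ -592,7 +592,7 @@ hunk. A later revision in this thread changes both to `Aq Ar names`, so these table arguments belong in the same pass to keep the bracket convention uniform across the page.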
Re: fun with smtpd, (two bugs)
> Shouldn't that be:
>
> +.Op Ic auth | auth-optional | auth Aq Ar authtable Aq | Ic auth-optional Ar authtable
>
> ???
>
> Looks like it fixed itself incorrectly :-)))

:-P But you're right, the fix was wrong, missed that one. But it doesn't work your way either. If I understand mdoc(7) correctly the argument list of Aq is closed by end of line.

Have another look at this tonight.

Frank.

--
Frank Brodbeck f...@guug.de
Re: fun with smtpd, (two bugs)
On 10/05/2014 17:54, Creamy wrote:
> table creamy db:/etc/mail/creamy.db
> table secrets db:/etc/mail/secrets.db
>
> accept sender creamy for domain example.com relay via smtps+auth://foo...@smtp.creamylan.lan auth secrets

Shouldn't it be:

accept sender creamy for domain example.com ...
Re: fun with smtpd, (two bugs)
On Sat, May 10, 2014 at 06:48:18PM +0200, Denis Fondras wrote:
> On 10/05/2014 17:54, Creamy wrote:
> > table creamy db:/etc/mail/creamy.db
> > table secrets db:/etc/mail/secrets.db
> >
> > accept sender creamy for domain example.com relay via smtps+auth://foo...@smtp.creamylan.lan auth secrets
>
> Shouldn't it be:
>
> accept sender creamy for domain example.com ...

Examples from the man page:

sender [!] senders
    if specified, the rule will only be matched if the sender email address is found in the table senders.

for [!] domain domain [alias aliases]
    this rule applies to mail destined for the specified domain.

for [!] domain domains [alias aliases]
    this rule applies to mail destined to domains which are part of the table domains

So it strongly implies that sender always takes the name of a table as an argument. I've tested this, and yes, as you suggest it accepts either the name of a table enclosed in angle brackets or a literal string without.

So the manual page is wrong, or at least misleading, because the syntax of the examples differs between from, sender, and for, so it's not clear whether the angle brackets are intended to be literally included, or whether they are just markup in the man page to indicate, 'name of table'.

--
Creamy! 3
Re: fun with smtpd, (two bugs)
On Sat, May 10, 2014 at 07:03:14PM +0100, Creamy wrote: So the manual page is wrong, or at least misleading, because the syntax of the examples differs between from, sender, and for, so it's not clear whether the angle brackets are intended to be literally included, or whether they are just markup in the man page to indicate, 'name of table'. And it's going to fix itself? Don't think so... Index: smtpd.conf.5 === RCS file: /cvs/src/usr.sbin/smtpd/smtpd.conf.5,v retrieving revision 1.117 diff -u -r1.117 smtpd.conf.5 --- smtpd.conf.516 Feb 2014 21:59:34 - 1.117 +++ smtpd.conf.510 May 2014 20:40:02 - @@ -109,7 +109,7 @@ .Ic from .Op Ic \! .Ic source -.Ic table +.Aq Ar table .Xc The rule matches if the connection is made from a client whose address is declared in the table @@ -121,7 +121,7 @@ .It Xo .Ic sender .Op Ic \! -.Ic senders +.Aq Ar senders .Xc If specified, the rule will only be matched if the sender email address is found in the table @@ -253,7 +253,7 @@ .It Xo .Ic recipient .Op Ic \! -.Ar recipients +.Aq Ar recipients .Xc If specified, the rule will only be matched if the recipient email address is found in the table @@ -307,7 +307,7 @@ .Ic relay .Op Ic backup Op Ar mx .Op Ic as Ar address -.Op Ic source Ar source +.Op Ic source Aq Ar source .Bk -words .Op Ic hostname Ar name .Op Ic hostnames Ar names @@ -592,7 +592,7 @@ .Op Ic port Ar port .Op Ic tls | tls-require | tls-require verify | smtps | secure .Op Ic pki Ar pkiname -.Op Ic auth | auth-optional | auth Ar authtable | Ic auth-optional Ar authtable +.Op Ic auth | auth-optional | auth Aq Ar authtable | Ic auth-optional Aq Ar authtable .Op Ic tag Ar tag .Op Ic hostname Ar hostname .Op Ic hostnames Ar names -- Frank Brodbeck f...@guug.de
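Review bot: In the @@ -592,7 +592,7 @@ hunk, the added line puts two `Aq` macros and a `|` separator on one `.Op` line; as the follow-up in this thread points out, the argument list of `Aq` runs to the end of the line, so everything after the first `Aq` would fall inside the first pair of angle brackets. Split the alternatives onto separate lines or use an `.Oo`/`.Oc` enclosure, so that each `Aq` closes after its own `Ar authtable`.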